http://www.eetimes.com/design/communications-design/4017938/IPSec-VPN-Fundamentals 6/27/2013
IPSec VPN Fundamentals Page 2 of 15
a full-fledged security gateway sitting between the corporate network and
the Internet, or as part of the router itself, IPSec and an
complete cryptographic security.
VPN Applications
There are three basic flavors of IPSec VPNs, each with an associated set of b
requirements (Figure 1):
Remote-Access VPNs: These let individual users, such as telecommuter
corporate network. The user's laptop usually contains a VPN client that cr
tunnel to the security gateway at the corporate headquarters. Another flav
application is offered via creating an L2TP/PPTP session that is
Intranet VPNs: This type connects branch offices to the corporate headq
creating a transparent Intranet.
Extranet VPNs: These let companies connect with their business partner
suppliers, customers, and joint ventures).
Basics of Cryptography
Cryptography is a set of mathematical functions that forms the foundation of a
With respect to IPSec, the following functions are
Note that symmetric key algorithms are computationally much faster than
algorithms. For efficiency, symmetric-key algorithms like DES or 3DES are
preserving confidentiality. Public-key algorithms are used in a "hybrid" or
mode to achieve authentication and non-repudiation.
Tunnel Mode: This mode is used to provide data security between two n
protection for the entire IP packet and is sent by adding an outer IP head
the two tunnel end-points. The unprotected packets generated by hosts tr
protected "tunnel" created by the gateways on both ends. The outer IP
corresponds to these gateways. Both intranet and
mode. Since tunnel mode hides the original IP header, it facilitates securi
with private IP address space.
IPSec Architecture
IPSec is an open, standards-based security architecture.
following concepts that are the building blocks of the
Security Parameter Index (SPI) is a 32-bit value used to identify an SA. The S
IPSec header of the protected packet and has local significance
that are either created manually or automatically through negotiation, indexed
3. Pass through (pass the packet to the IP stack for normal forwarding).
The "Policy Manager" module is the interface between the user adding a secu
SPD. The "IKE Daemon" module does the automatic SA negotiation between
The "Certificate Manager" verifies and enrolls certificates for
In short, a typical packet flow inside this architecture proceeds as follows:
A packet is received through the receive queue and passed to the IPSec
module.
If the policy is "IPSec", the SPD entry should point to an SA in SAD. The
fetches the corresponding SAD entry and checks for validity. If the SA sta
module indicates the IKE Daemon for another SA
All the transforms depicted in the SA are performed on the packet with th
"cryptography" module.
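The packet flow described above (SPD lookup, the three policy outcomes, an SPI-indexed SAD lookup, and handing an expired or missing SA to the IKE daemon) as a small Python model. This is an added illustration, not code from the article; the databases, the transform label and the IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Policy actions named in the article: discard, apply IPSec, or pass through.
DISCARD, IPSEC, PASS, IKE_NEEDED = "discard", "ipsec", "pass", "ike_needed"

@dataclass
class SA:                      # one Security Association, indexed by its 32-bit SPI
    spi: int
    peer: str                  # tunnel end-point (destination of the outer IP header)
    transform: str             # algorithm suite agreed by IKE (constructed label)
    expires_at: float          # lifetime, in seconds since epoch (constructed)

@dataclass
class SPDEntry:                # one selector in the Security Policy Database
    selector: str              # destination prefix; first match wins
    action: str
    spi: Optional[int] = None  # only meaningful when action == IPSEC

# Constructed sample databases; addresses are documentation ranges, not real hosts.
SPD = [
    SPDEntry("10.1.0.0/16", IPSEC, spi=0x1001),   # branch office behind a peer gateway
    SPDEntry("192.0.2.0/24", DISCARD),            # range the policy manager blocked
    SPDEntry("0.0.0.0/0", PASS),                  # everything else: normal forwarding
]
SAD = {0x1001: SA(0x1001, "203.0.113.1", "ESP-3DES-HMAC-SHA1", expires_at=2_000.0)}

def lookup_policy(dst_ip: str) -> SPDEntry:
    """Ordered SPD search; the catch-all entry guarantees a match."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in SPD:
        if addr in ipaddress.ip_network(entry.selector):
            return entry
    raise LookupError("no SPD match")

def process_outbound(dst_ip: str, now: float) -> tuple:
    """Return the action the IPSec module takes for a packet to dst_ip at time now."""
    entry = lookup_policy(dst_ip)
    if entry.action != IPSEC:
        return (entry.action,)            # ("discard",) or ("pass",)
    sa = SAD.get(entry.spi)
    if sa is None or now >= sa.expires_at:
        # SA missing or no longer valid: signal the IKE daemon to negotiate a new one
        return (IKE_NEEDED, entry.spi)
    # tunnel mode: outer header goes to the peer gateway, SPI goes in the IPSec header
    return (IPSEC, sa.spi, sa.peer, sa.transform)
```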
Figure 6 shows how AH and ESP are used in tunnel mode to protect an IP pa
IKE defines the mechanism to establish SAs required to secure the packets
IPSec peers. As defined in Figure 3, the main components of an SA are the
(the algorithm and the key) that will be used to protect data.
way of negotiating these details between the two peers.
Main Mode
Figure 7 shows the basic main-mode message exchanges. In main m
negotiating parties use six messages: the first two messages to nego
policy that will be used to protect the phase II messages. The next tw
perform a Diffie-Hellman key exchange and pass nonces (random nu
signing) to each other. The last two messages are used to authentica
Aggressive Mode
In aggressive mode, you need only three messages to establish the I
the identities of the parties involved are revealed.
exchanges.
Packet Processors
These take in a packet along with an SA and do the complete packet pro
example, the addition of the AH or ESP header, as required) in addition to
prior functionality.
Conclusion
IPSec is a thorough and complete solution for protecting IP traffic. IPSec prote
against unauthorized modification and eavesdropping, and also securely
communicating parties. Because of the cost-savings potential
interest in security, the VPN market is still growing strongly despite a nearly tw
economic downturn. Infonetics Research has forecasted
expenditures to grow 117%, from $21.3 billion to $46.2 billion between 2002 a
certain problem areas that need to be addressed are as follows.
The protocol is as strong as the underlying algorithms it employs, so proper a
important to network security. Furthermore, for smooth operation, IPSec requi
infrastructure (PKI). Such infrastructures are still in their infancy, and
infrastructures are just emerging on the Internet. All
access policies is a complicated field and a thorough knowledge of several co
to properly administer these policies. Finally, as IPSec and IKE are evolving s
interoperability between different vendors is still a problem.
Still, the overall impact of IPSec will be tremendous in the years to come. IPS
to securely connect offices, users, and partners to the network and safely tran
a very cost-effective solution. IPSec does this in a manner
users. As the networks migrate to IPv6, IPSec will become an integral compon
networks as well.